TRUST NO ONE
While corporate networks are exposed to increasing security threats from outside and inside their traditional boundaries, end users are demanding greater access to their information resources from anywhere and at any time. Chris Hopen, CTO and co-founder of Aventail, explains how leading organisations are now rising to these challenges by inverting their networks.
When computers were first networked together to communicate and share resources, technologies such as the Internet and Web Services were just science fiction, and security was more about the locks on the doors. But all that started to change as corporate networks became one small part of a global Web that everyone could have access to. Companies soon started to adopt a fortress mentality with network perimeter security, based on technologies such as firewalls, anti-virus and intrusion detection to protect corporate networks, applications and assets.
This approach has gone a long way to provide adequate levels of security. But things are changing yet again, driven by two key factors. Firstly, businesses are increasingly aware that a growing proportion of threats are from inside. And these threats come not just from disgruntled or corrupt employees who wish to steal data or damage systems; they can come from inadvertent exposure by otherwise well-meaning and trustworthy staff.
For example, more and more company staff use laptops and mobile devices that move inside and outside of the network, exposing the network to infiltration by threats such as viruses and Trojans. This means that IT managers must now treat every connection on the internal network as ‘dirty’. There is no longer a so-called ‘trusted enterprise’. And even if you can trust your staff, you can’t trust their devices!
The second key driver is the increasing demand for anywhere, anytime access from virtually any device in the world. And it’s no longer just about picking up e-mail; employees, customers, suppliers and partners can do their jobs more efficiently if they have 24x7 access to key data and business applications. This presents the challenge of managing an unknown number of fixed or wireless devices as valid access points to the corporate network.
Deconstructing the Network
So with the combination of more threats from within and the drive for greater remote access, maintaining effective perimeter-based security is becoming more complex. And more significantly, even when this approach is successful, it only addresses part of the security problem. Network architects need a new approach to build borderless global enterprise networks where security is inherently built into the entire network, rather than applied only to the interface between the internal network and the outside world. Leading companies are beginning to move their networks precisely in this direction. This trend is becoming known as ‘de-perimeterisation’ or creating an ‘inverted network’.
In effect, an inverted network is one that partitions traditional networks, where every user, system or device on the inside is assumed to have the same level of trust, into a number of smaller pieces, each sharing common trust attributes. These various trust domains are protected from one another by internal firewalls and perimeter security. Typically, the multiple trust domains will contain either application servers and data centre resources or groups of users. These users, for example, may be defined geographically or by job function or relationship to the business; however, in general, they will fall into two categories: the public domain and semi-trusted users. The secret is to trust no user, system or device completely and to verify any trust that you extend within and beyond a trust domain.
So, the essence of an inverted network is to add security perimeters directly around these individual trust domains and provide secure access control and authorisation between domains. One immediate benefit is that this prevents transitive trust-based network attacks within the enterprise. For example, a virus such as Blaster or MyDoom would be quarantined to the single trust domain that was penetrated, rather than run rampant throughout the entire enterprise at large.
The role of the SSL VPN
In theory, this approach appears to make a lot of sense, but existing corporate network architectures and perimeter security have taken years to evolve; what can take their place? A rapidly emerging technology to address the anywhere-access challenge is the SSL VPN (Secure Sockets Layer Virtual Private Network). Unlike traditional VPNs based on IPSec (Internet Protocol Security) technology, SSL VPNs offer clientless and client-based access from any device with an Internet connection. These devices may include a machine on someone else’s network, an airport or tradeshow Internet kiosk, a home PC, or a wireless laptop or PDA.
The machine may also be your company-supplied-and-managed desktop or laptop located on the enterprise’s local fixed or wireless network and associated with the proper trust domain. SSL VPNs provide the ideal solution for providing access control between the individual trust domains. As they already provide this capability in the form of remote access from the untrusted Internet to enterprise applications, they can provide the same security and access control within an inverted enterprise network. In effect, internal access and external access become the same; what was once considered secure remote access simply becomes secure access between managed or unmanaged networks and devices, across trust domains whether inside or outside the enterprise.
Because SSL VPNs use existing conventional transport protocols, they can work well over all forms of network media such as broadband, satellite, wireless and even cellular networks. Communications ride on top of the standard TCP and/or UDP transports, so traffic can traverse network address translation (NAT) devices, proxy-based firewalls and stateful inspection firewalls, making true anywhere access possible, even from behind a firewall.
However, many SSL VPN solutions support access to Web-enabled applications only, which is of very limited use to people who are used to accessing all of their client/server and legacy business applications on the corporate LAN.
But by deploying a simple Java agent, the leading SSL VPN provider Aventail allows users to have immediate secure access to applications from vendors such as SAP, PeopleSoft, Siebel, Oracle, Citrix, Microsoft and Lotus. The Java agent is only present during the session and there is no trace on the user machine once the connection has been terminated. To complete the full secure access portfolio in a single solution, Aventail also provides a remotely managed Windows client that further enhances functionality and extends connectivity to legacy software and terminal applications.
With a secure proxied connection to authorised resources, users, wherever they are, never have a direct connection to the application they are trying to access. And by combining proxy servers with SSL it is possible to provide other types of authentication beyond the conventional exchange of digital certificates that SSL allows, such as username/password or two-factor authentication, or even biometrics.
End Point Control
While there are increasingly sophisticated ways of making sure that the user is the person he or she claims to be, providing secure access to enterprise applications from just about any computing device with an Internet connection raises the question as to whether that is enough.
The security problem potentially goes far beyond just authenticating users and extends to managing the risks inherent in users’ computing environments: their operating systems, browsers, applications and even the type of network. With access devices that may include airport or tradeshow Internet kiosks, hotel computers, wireless PDAs or a friend’s home PC, threats such as Trojan horses, keystroke loggers and uncontrolled viruses and worms are even greater.
The concept of End Point Control is to authorise the appropriate level of access for authenticated users, given the known risk of the environment. For example, full access to business applications may be granted from a corporate-managed desktop, compared to limited access, such as simply checking email, from a machine in a cybercafé.
This control can be achieved by integrating tools and technologies to enforce security at the end point, such as personal firewalls that are installable as desktop images or as transient software agents written in Java or ActiveX. Desktop integrity checking software scans the computer and registers it as ‘safe’, or scans it periodically with an updated profile to ensure new threats are routinely identified and removed. And of course, desktop operating system vendors have a powerful incentive to create increasingly trustworthy platforms.
Unlike other remote access technologies, End Point Control is an intrinsic capability of SSL VPNs, and companies such as Aventail are already working closely with vendors such as Bluefire Security Technologies, Fortinet, Foundstone, iPass, Swivel, Sygate Technologies, RSA Security, WholeSecurity and Zone Labs to deliver a complete solution to analyse, authenticate and secure the remote environment.
However, End Point Control puts an additional load on the policy management system of the secure access architecture, which now includes both internal and external users.
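The End Point Control decision described above, as an added example that is not Aventail's code: the connecting device is classified into a trust class from the posture an end point agent reports (corporate-managed, personal firewall running, integrity check passed, kiosk), and object-based rules then decide which groups may reach which applications from which device classes. Everything not explicitly granted is denied. The class and function names (EndpointClass, Posture, Rule, authorise, permitted_applications), the group and application names, and the posture scenarios are constructed for this example.

```python
"""Toy End Point Control policy engine (added example, not Aventail code).

Classifies the connecting device into a trust class from its posture, then
applies object-based rules of the form (group, application, allowed classes).
Unknown combinations are denied: trust no user, system or device by default.
All group, application and posture names below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class EndpointClass(Enum):
    MANAGED = "corporate-managed"   # company-supplied desktop in a trust domain
    SEMI_TRUSTED = "semi-trusted"   # e.g. home PC that passed integrity checks
    UNTRUSTED = "untrusted"         # kiosk, cybercafe, unknown machine


@dataclass(frozen=True)
class Posture:
    """Attributes an end point agent would report before access is granted."""
    corporate_managed: bool
    personal_firewall: bool
    integrity_check_passed: bool
    kiosk: bool = False


def classify(p: Posture) -> EndpointClass:
    """Map reported posture to a trust class; any doubt lowers the class."""
    if p.kiosk or not p.integrity_check_passed:
        return EndpointClass.UNTRUSTED
    if p.corporate_managed and p.personal_firewall:
        return EndpointClass.MANAGED
    if p.personal_firewall:
        return EndpointClass.SEMI_TRUSTED
    return EndpointClass.UNTRUSTED


@dataclass(frozen=True)
class Rule:
    group: str
    application: str
    allowed: frozenset  # EndpointClass members that may reach the application


# Constructed policy: who may reach which application from which device class.
POLICY = (
    Rule("staff", "webmail", frozenset(EndpointClass)),            # from anywhere
    Rule("staff", "intranet", frozenset({EndpointClass.MANAGED,
                                         EndpointClass.SEMI_TRUSTED})),
    Rule("finance", "erp", frozenset({EndpointClass.MANAGED})),    # managed desktops only
    Rule("partners", "order-portal", frozenset({EndpointClass.MANAGED,
                                                EndpointClass.SEMI_TRUSTED})),
)


@dataclass
class Decision:
    allowed: bool
    endpoint_class: EndpointClass
    reason: str


def authorise(groups, application, posture, policy=POLICY) -> Decision:
    """Central authorisation decision, independent of the application server."""
    cls = classify(posture)
    matches = [r for r in policy if r.application == application and r.group in groups]
    if not matches:
        return Decision(False, cls, f"no rule grants {application} to {sorted(groups)}")
    if any(cls in r.allowed for r in matches):
        return Decision(True, cls, f"{application} permitted from {cls.value} device")
    return Decision(False, cls, f"{application} not permitted from {cls.value} device")


def permitted_applications(groups, posture, policy=POLICY):
    """Everything this user may reach from this device: the 'level of access'."""
    cls = classify(posture)
    return sorted({r.application for r in policy if r.group in groups and cls in r.allowed})


if __name__ == "__main__":
    finance_user = {"staff", "finance"}
    scenarios = {  # constructed postures for the same authenticated user
        "corporate desktop": Posture(True, True, True),
        "home PC with firewall": Posture(False, True, True),
        "cybercafe kiosk": Posture(False, False, False, kiosk=True),
    }
    for name, posture in scenarios.items():
        d = authorise(finance_user, "erp", posture)
        print(f"{name:22s} erp: {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
        print(f"{'':22s} may reach: {permitted_applications(finance_user, posture)}")
```

The same authenticated finance user gets the full application set from a managed desktop, intranet and webmail from a home PC that passed its checks, and webmail only from a kiosk. Note that the rule count grows with groups multiplied by applications multiplied by device classes, and that every new posture attribute an agent reports adds another dimension; that is the policy load an End Point Control deployment places on the policy system.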
For that reason, it is critically important that policy systems can scale to accommodate the increasingly sophisticated demands of the multi-domain enterprise as secure access extends to an increasing range of devices and to a far broader set of users and applications.
With an integrated and fully scalable object-based SSL VPN policy model, it is possible for the network administrator to provide fine-grained access control rules that precisely define which individuals or groups have access to which applications from which types of end point devices. With an inverted network and multiple trust domains, authorisation can be centralised and be independent of the application servers and the perimeter access controls.
The future of the Inverted Network
This concept of the inverted network or de-perimeterisation is increasingly resonating with large corporations. Aventail is already working with a number of major organisations on pilot projects, and in the UK a number of FTSE 100 businesses, including the Royal Mail, BBC and BP, have publicly supported the idea of de-perimeterisation. David Lacey, director of security and risk management technology, services and innovation at Royal Mail, said, "Because the network perimeter does not provide adequate protection, organisations are building barriers around groups of users. Supply chain-led moves to break up the security cordon will be built on several technologies such as virtual private networks."
The coming generation of secure access is less about technology and more about business productivity in a secure environment. The business imperative is to give employees and business partners the right level of access to the right enterprise resources and information from wherever they are. And it is becoming increasingly likely that SSL VPN technology developed to meet the demand for secure remote access will now play a major role in delivering the secure inverted network.
www.aventail.com